Connect with us

Hi, what are you looking for?


Malware & Threats

New Remaiten Malware Builds Botnet of Linux-Based Routers

Remaiten Linux Bot Targets Routers and Potentially Other Embedded (IoT) Devices

A new piece of malware is targeting embedded systems with the mission to compromise and make them part of a botnet, ESET security researchers have discovered.

Remaiten Linux Bot Targets Routers and Potentially Other Embedded (IoT) Devices

A new piece of malware is targeting embedded systems with the mission to compromise and make them part of a botnet, ESET security researchers have discovered.

Dubbed “Remaiten” (Linux/ Remaiten), the new threat combines the capabilities of previously spotted Tsunami (also known as Kaiten) and Gafgyt malware and also brings a series of improvements and new features. According to ESET, three versions of Remaiten have already emerged, while the malware authors call their creation “KTN-Remastered” or “KTN-RM.”

One of the capabilities that Remaiten borrows from Gafgyt is telnet scanning, though Remaiten enjoys a series of improvements, ESET’s Michal Malik explains in a blog post. Both, however, rely on improperly secured devices to successfully infect them.

Gafgyt attempts to connect to random routers via port 23, which it then issues a shell command to download bot executables for multiple architectures and tries to run them. Remaiten, on the other hand, carries downloaders for CPU architectures commonly used in embedded Linux devices, then tries to trigger the device’s platform to drop only the appropriate downloader.

When executed, the bot runs in the background and changes its process name to look legitimate, with two versions using “-bash” for that (namely Remaiten 2.0 and 2.1), and the third (version 2.2) using “-sh.” Next, using the create_daemon function, the bot creates a file named “.kpid” in one of the predefined daemon directories and writes its PID to a file.

The bot binaries include a hardcoded list of C&C server IP addresses, and the malware chooses one at random and connects to it on a hardcoded port (the port is different from one variant to another). Upon successful connection to the C&C server, the bot checks-in on the IRC channel, and the server replies with a welcome message and further instructions.

Advertisement. Scroll to continue reading.

There are various IRC commands that the bot supports, one of which is “PRIVMSG,” used to instruct the bot to perform nefarious operations such as flooding, downloading files, and telnet scanning. According to ESET researchers, most of these capabilities come from the Linux/Tsunami malware, while the rest were borrowed from Linux/Gafgyt.

The bot sends to the C&C server information such as device’s IP address, the successful username and password pair, and whether it infected the other device or not. The malware also supports a “KILLBOTS” command, which allows it to enumerate running processes and kill some of them based on a few criteria, mainly because of their names.

Researchers also discovered that Remaiten version 2.2 includes a wget/tftp command to download a shell script that downloads the bot binaries, including files that target platforms such as PowerPC and SuperH. This proves that bad actors are ready for any situation, as they went into the trouble of compiling their malware for these architectures.

Additional technical details are available from ESET.

Related: Tens of Thousands of Routers, IP Cams Infected by Vigilante Malware

Related: Large DDoS Botnet Powered by Routers Infected With “Spike” Malware

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...